Ten tips to meet data compliance audits
Now that you've covered some compliance basics, here are 10 tips that will help you prepare for, and master, the inevitable compliance audits.

1. Know the inspection process in advance. There should be no mystery behind compliance audit requirements or processes, and you can often obtain the examination manual or inspection checklist directly from the regulatory or governing agency. In addition, industry associations and other groups may offer audit guidelines, sample policies and procedures, and even comprehensive audit preparation workshops. All of this can be used to help prepare your own internal audit program. For example, the MIS Training Institute (MISTI) in Framingham, Mass., provides a wide range of internal audit seminars and workshops.

2. Self-auditing is essential for success. It is essential to have a sound internal audit program that includes adequate documentation and follow-up processes. Companies should perform internal data compliance audits regularly and proactively correct any deficiencies. This isn't just for specific industries, like banking or medical product manufacturing. Public companies bound by the Sarbanes-Oxley Act (SOX) or the Health Insurance Portability and Accountability Act (HIPAA) should also conduct internal audits. Remember that outside auditors will look closely at the internal audit system. An absent or inadequate internal audit program will be marked as a deficiency, possibly encouraging a deeper examination.

3. Consider using an independent auditor. While it is certainly possible to conduct your own internal compliance audits, some companies simply don't have the resources or in-house expertise to handle that business function. Independent third-party compliance auditing firms can help to bridge this gap, allowing companies to present regulators with independent results.

4. Be sensitive to changes in your industry. Complacency is one of the biggest threats to data compliance because compliance is not static. It's a "moving target" that shifts and changes based on notable activities within the industry and new enforcement priorities within the regulatory agency. For example, the Basel II capital accord for global banking requires internal analysis and reporting of "operational risk," so banks moving to Basel II will need to update their compliance audit policies and processes to accommodate that new requirement. Auditors will probably tailor their inspection to ensure that any new regulations are accommodated.

5. Be alert to problems within your industry or business environment. Some problems may be systemic, and trouble at one or more companies in your industry may bring the compliance auditors knocking on your door -- even when you haven't done anything wrong yourself. One important example is the recent SEC crackdown on backdating stock options. Incidents of backdating have led to litigation and penalties for convicted parties.

6. Demonstrate that you can keep compliance data secure. Many regulations place security requirements on sensitive data, preventing unauthorized access and safeguarding the data against alteration or destruction within the appropriate retention period. This may involve technologies like encryption and content-addressed storage (CAS) products. During a data compliance audit, inspectors will want to verify that both aspects of these security requirements are in place and working properly. An IT security staff will certainly be familiar with the available controls and safeguards, but internal audit processes should accommodate both concerns. In addition, you should have data retention/deletion policies that are clearly defined for both backup/recovery and archiving. Be ready to demonstrate how "expired" data is actually removed from your storage systems.

7. Be prepared to furnish documentation quickly. It used to be that a company might have days (even weeks) to produce the documentation requested by a compliance auditor. Now regulators expect companies to tender documents quickly, and this should be an important focus of your internal audit process. A typical examiner may expect the company's internal compliance officer to access records on demand while the auditor is waiting in the room.

8. Pay attention to legacy IT systems. Although compliance is certainly not an IT-only function, it's important for IT managers to ensure that all of the company's storage and networking infrastructure continues to meet the requirements for security, documentation and any other regulatory requirements that might present themselves. This is particularly challenging for aging legacy systems that may not easily keep pace with changing compliance requirements. Upgrades and forklift replacements may be needed to maintain proper adherence, so compliance managers must actively involve IT managers in the data compliance audit process.

9. Don't ignore the importance of disaster preparation. Compliance issues also involve disaster planning and preparedness, so be sure to document your mission-critical systems and present a recovery plan for those systems. Compliance auditors may want to see disaster recovery plans for both single component faults and total site disasters.

10. Bring known flaws to the forefront. Finally, if an internal audit reveals a lapse in the infrastructure, this does not necessarily guarantee a data compliance audit failure or severe penalties from a regulator. This is especially true for young organizations that are relatively new to compliance issues. The key is to present any known issues to the auditor, along with a reasonable plan to address and correct the lapse. The penalties for intentionally hiding a known issue can be far worse than discussing the lapse and formulating a plan to fix it.
07 Sep 2007